Consumers have a new law in New York to thank for providing additional protection from identity theft and data breaches. The law, which was passed by the state legislature in June in response to the rash of record-breaking data breaches and updated regulations, spells out how companies must respond when a breach event occurs.

The new law in New York even applies to businesses outside of the state. If the victims of the breach are New Yorkers, the company must comply with the steps outlined in the law no matter where it is located. This can have a domino effect of sorts, since disclosing the breach to those residents can help make consumers in other states aware that a breach has occurred, even if they are not going to be receiving notification letters due to their locations.

Moreover, the SHIELD Act in New York will cover biometric data, not just personally identifiable information like Social Security numbers or usernames and passwords. If a company gathers and stores things like fingerprints or blood type, that information is now considered worthy of triggering a data breach notification. In the past, different states have had different rules on what requires a notification letter, and until now, biometric data was not included in New York.

Further, the SHIELD Act will require companies to inform victims as quickly as possible that their information was compromised. If there are more than 500 victims from New York, the company is also required to inform the state’s Attorney General’s office. It also outlines which types of information require a notification letter, such as email addresses and passwords, birthdates and SSNs.

The SHIELD Act, signed last week by Governor Cuomo, goes into effect in March 2020. It is based on a lot of consumer protection concepts that were put into place in Europe under the GDPR regulations that were enacted last year. The new law in New York was also inspired in part by the Equifax data breach from a year ago, an event in which 147 million consumers had their complete identities stolen by hackers.

For its part, Equifax has now launched its claims website for consumers to find out instantly if their information has been compromised. If it has, the steps for filing a claim and seeking compensation are included on the site. The claims site can be found at EquifaxBreachSettlement.com.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.



Data breach laws can vary from state to state in terms of notification. For years some states did not even have laws in place that required companies to inform victims if their data had been compromised in a breach. Laws vary depending on not only the location of the company that was breached, but also the location of the victims.

Washington state has had data breach laws in place for years, but those laws had a somewhat limited scope. Currently in Washington, if certain pieces of data – like your Social Security number – are not impacted in a breach, the company does not have to offer protection service or notify victims of the incident.

A new bill in Washington would expand the definition for sensitive data to include things like your birthdate, health insurance number, student ID or military ID number and more. This essentially broadens the terms of what can trigger a required notification.

The need for this change grew out of the increase in data breaches and the growing numbers of residents whose identifying information was compromised in data breaches. More than 3 million residents of that state had their data accidentally or intentionally attacked in a one-year period from July 2017 to June 2018. With breaches on the rise, Washington is taking action with its data breach laws.

This new bill would not only broaden the types of personal data that are covered, but also reduce the length of time that a company has to report the breach. The current notification law gives the affected businesses 45 days to notify the state’s attorney general of a data breach, and this new bill would reduce that to 30 days. The difference of those two weeks can make an enormous impact in minimizing the damage to victims.

Of course, laws such as this one can be seen as a double-edged sword. Supporters, security experts and consumer advocates understand that there are many different kinds of identity theft, and that serious harm can result even without stealing someone’s Social Security number. However, critics view it through the eyes of the organizations and businesses, and how it may hurt them in the event of a data breach. It is important to remember that businesses who collect and store consumers’ personally identifiable information have an obligation to protect it. If they fail in that regard, then they should have to offer information and support to the customers who were affected.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly available data breach information and breaks down both the threat and the actionable steps for consumers.




By ITRC CEO, Eva Velasquez

For victims of identity crimes there are emotional, physical and lost opportunity costs experienced even when resources are provided quickly and competently. The government shutdown will make the aftermath for these victims worse. The Identity Theft Resource Center’s Aftermath™ series sheds light on the less obvious but equally devastating effects of various identity crimes. It also highlights the downstream impacts regularly faced by victims. Right now, we are dealing with an obvious challenge on a national scale with the federal government shutdown. In keeping with our mission of advocating for victims, and increasing awareness of the complexity of the identity crime issue, I want to highlight some of the less obvious downstream effects our team is seeing impact not only victims but all citizens during this shutdown.

There is considerable attention being paid to the obvious consequences, and rightly so. Many folks, from federal employees to those that rely on government assistance to meet their basic needs, are certainly enduring hardship. However, there are other impacts, which are less obvious, and I feel compelled to share this perspective. This is not to make the point that these impacts are greater, or causing more harm than the ones previously mentioned, rather it is to shine some light on these less obvious consequences so that decision-makers and the public realize this is happening, and understand both the short term and long-term effects.

Currently, many departments of the federal government are shut down. This includes the Federal Trade Commission. The FTC and the ITRC share a similar mission, and a strong collaborative relationship. We have worked together on many initiatives to better the outcomes for identity crime victims. The individuals that we have worked with at the agency are amazing people, dedicated to helping victims and stopping the identity thieves. The resources that the FTC provides are an invaluable part of the remediation process.

What is notable about the shutdown for this department is that while ftc.gov remains fully functional, the identity theft assistance arm, identitytheft.gov and the associated call center are non-operational. That’s right; the website that victims go to for these invaluable resources is dark. Victims currently cannot obtain the FTC identity theft affidavit that is a critical first step for many, if not most, identity theft remediation plans.

Government shutdown advisory from identitytheft.gov

Until identitytheft.gov comes back online victims will need to go to their local police department and get a police report to move forward with proving their innocence. This is creating an increased workload for these local departments, a burden that was only recently lifted due to changes in the Fair Credit Reporting Act that allowed the FTC affidavit to serve as the report from a law enforcement agency in lieu of a police report.

If you believe that is not a big deal and at least there is some type of workaround, please realize that law enforcement agencies are not equipped to provide robust victim services for financial crimes victims (generally), which means they are not providing victims with remediation plans or helping them to put their lives back together. Their job is to investigate, get the bad guy, and hopefully stop the thief from harming others. Those plans come from the FTC and the Identity Theft Resource Center. As a second-tier responder, the ITRC receives referrals from the FTC, but with them unavailable, we’re now in the position to have to assist those victims as a first responder.

If for some reason there’s a belief that identity crimes are not a big deal, listen to what the victims are saying to understand that is not the case. You can read our Aftermath study and hear it directly from them.

The ITRC and all its resources are here for victims. We can be reached through our website www.idtheftcenter.org and our call center at 888-400-5330. Bear in mind that the shutdown has created an increase in our call volume, so please be patient.

In addition to the short-term consequences, there are several long-term impacts that one will only be able to measure fully when this crisis has passed and we can unpack it using hindsight and data. One of the questions is whether there has been an increase in the actual number of incidents during this time period. The temporary closure of the investigative bodies that act as a deterrent will have some impact and decades of personal experience working with law enforcement and observing criminal behavior leads me to the conclusion: “Of course there will.” Identity thieves are opportunistic. Who actually believes they are not talking with each other and managing their efforts to capitalize on LESS oversight?

Another question: how much worse will the impact be for those that fall victim to identity crime during this window of closure? The ITRC knows from experience that early detection of this crime leads to quicker remediation and lessens the trauma, not to mention the total impact. We also know that consumers experience intense fear upon discovery of being a victim of identity theft. The availability of a plan of action allows them to feel empowered, giving them the ability to fight back against the powerlessness they might be feeling. Some will minimize this reaction and continue to see victims of economic crimes as overreacting, but I assure you that it’s not an overreaction. Those feelings are real. Moreover, when they cannot access the assistance they need, when they need it, it increases that feeling of powerlessness. Imagine that you come home to find your home burglarized. It is obvious that the burglars are long gone, but all of your belongings have been touched and gone through, and many are missing. You feel violated. You need help and you need to get this reported and resolved. You call the police to get that help and are told they are closed, until further notice, so you just have to wait and try to wade through it. You think, can I clean things up? Do I have to take pictures? What if I mess something up and it creates more problems down the road? That’s exactly what identity crime victims are feeling when they get to the inoperable FTC website. Powerless.


When it comes to a credit freeze, consumers have to ask themselves when they should take this step, and why. The “when” is easy… the answer is NOW. There are very few reasons to leave your credit report unfrozen, all of them stemming from your life circumstances that involve high-volume spending, the need for new accounts or other similar, limited situations.

But “why” is a little more difficult to explain. Your credit report is the document that gives lenders an idea of what kind of borrower you are. It contains lengthy information on your previous spending and payoffs, your open lines of credit, the amount of debt you carry, and more. However, this report is also the tool that lenders need in order to issue you a new account or line of credit; no report, no new credit card or car purchase.

It’s easy to see how blocking access to that report can prevent new lines of credit from being issued, and that goes a long way towards protecting you from fraud if someone steals or fabricates your identity. When the criminal applies for a new credit card, home utilities, a car or other similar account, the credit report will come back to the lender as “frozen,” essentially blocking the account.

This is one of the strongest measures consumers can take to help reduce their risk of financial identity theft. There are other ways your personally identifiable information falling into the wrong hands can harm you, but new account fraud is one of the easiest but most devastating scenarios. At the same time, there are not many other actionable steps consumers can take that can have this much of an impact on identity theft and fraud.

Remember when we said you should do it right now? There’s never been a better time. New legislation goes into effect this week that will remove the fees associated with freezing and thawing your credit report. Even though it takes time to “thaw” should you need it (a few business days, typically), you will no longer have to pay a fee for protecting your credit report this way. All three of the reporting agencies—Experian, Equifax, and TransUnion—will no longer charge this fee thanks to legislation that was passed after the Equifax data breach.

In order to freeze your credit, here are a few steps to take. While you handle that, remember that you’re also entitled to one free copy of your credit report from each of the three major reporting agencies every year. You don’t have to request them all at once, though, so you can stagger your requests a few months apart and get a look at your credit report all throughout the year.



A very strict new set of regulations concerning citizens’ data protection is set to take effect in the European Union (EU) this year, and these rules have businesses re-evaluating their current cybersecurity practices.

Called the General Data Protection Regulation, or GDPR for short, these regulations not only mandate how businesses that gather customer data must protect it, they also outline the severe penalties that companies will face for violating it.

Unfortunately for business owners (but fortunately for customers, especially those who’ve had their information stolen in the past), the GDPR does not differentiate how the data was compromised. Basically, if you collected it and stored it, you are the reason it was sitting there for a hacker to steal. Whether the information was stolen because of a rogue employee, sloppy or faulty cybersecurity protocols, or simply the incredible skills of a cybercriminal, the method no longer matters. It was the business’ job to secure it or not have it in the first place.

US business owners might be breathing a sigh of relief, thankful that these regulations are way over there in Europe. However, that relief is misplaced. If your company does business in the EU—whether you have a branch office there or you’re just a vendor who accepts international customers—you can find yourself held to these regulations, especially if there’s a problem down the road.

According to CSO Online, the following criteria for determining compliance can apply:

  • A presence in an EU country.
  • No presence in the EU, but it processes personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.

These regulations were adopted in the EU in April of 2016, but companies have until May 2018 to be in full compliance. To find out more about these requirements and how they affect your company, visit the EU’s GDPR website.



In the wake of large-scale data breaches like the recently announced Equifax breach, lawmakers are taking a closer look at the protections their current laws offer to both consumers and businesses.

In too many cases, officials have found that the current laws don’t do nearly enough to afford any kind of protection. A new bill in New York called the SHIELD Act, introduced by the Attorney General’s office, gives the state two key avenues to protect consumers. First, it outlines the kinds of security measures that companies must deploy if they gather sensitive information about citizens. New York currently has very little in the way of set regulations for how businesses must protect information if they don’t collect critical data like Social Security numbers.

However, the Equifax breach did involve an estimated 143 million SSNs, so the existing New York breach notification law does detail the steps to be followed after a breach. That’s where the second part of the SHIELD Act comes in: litigation. The new bill would allow the state to sue companies on behalf of New Yorkers who are affected by a data breach that exposes their personally identifiable information. Furthermore, this new law would also build on existing notification laws by specifying exactly what information needs to be provided to consumers following a data breach.

The Equifax breach has raised a lot of concern for a number of reasons, namely that the event occurred and was discovered by the company in late July 2017, but wasn’t announced until late September.

Events like this one are the focus of NY Attorney General Eric T. Schneiderman’s efforts with this new bill. The goal of protecting consumers can only be reached when the public can be certain their data is stored safely, and when they have all the facts concerning security incidents involving their information.



As someone who is concerned about personal security and privacy, you probably already know that your Social Security number—especially combined with your birthdate and a few other key pieces of information—is the Holy Grail of identity theft.

A complete record can be sold online, can help someone assume your entire identity, or be used in a variety of other ways. It might lead to financial fraud like new credit cards or the opening of utility accounts, or even criminal identity theft, such as providing your identity at the time someone else is arrested. With your complete details, a thief can apply for government benefits, apply for a job, rent an apartment, even have major surgery and stick you with the bill.

Unfortunately, thanks to a record-setting few years for data breaches, a lot of citizens’ SSNs are “floating around” out there for criminals to use. At one point, complete identity records were so abundant on the internet’s black market that they were actually losing dollar value due to a supply-and-demand glut.

To help in the fight against identity theft and fraud, U.S. Rep. David Valadao (R-CA) has proposed new legislation in the House that will stop the widespread sharing of your Social Security number, at least from the government’s end. The Social Security Fraud Prevention Act, H.R. 624, would clarify which specific instances warranted a person’s full SSN to be printed on a government-issued document, and other times when it simply isn’t necessary. If the situation doesn’t warrant the printing of the SSN, then it would have to be partially redacted or removed entirely from those government documents.

Social Security numbers have long been used as identification. Colleges once used it as your student ID number, and it was printed on the face of your ID card. Anyone who’s served in the military can attest that until recently, it was printed on everything from your orders to your medical file to your laundry bag back in boot camp. Only in recent years has there been a greater concern with protecting this vital identifier.

Other Congressmen have joined in this bipartisan effort, all with the hope of curbing some of the already rampant and ever-increasing statistics for identity theft and fraud. Similar efforts have been introduced in the Senate to go along with this bill.


How much information are you putting out there? It’s probably too much. We are here to help you stop sharing Too Much Information. Sign up for the TMI Weekly.

Tax refund fraud and government identity theft go hand-in-hand to create a multi-billion-dollar problem every year.

While thieves still target consumers’ credit card information and bank accounts, they’ve learned that the real money is in your more permanent information, like your Social Security number. With that piece of the puzzle, they can file fraudulent tax returns and make off with a virtually untraceable payday.

Maryland has been hit particularly hard by tax return fraud, and as a result a new bill – the Taxpayer Protection Act of 2017 – has been introduced to prevent tax fraud, protect taxpayer information and hold fraudulent filers and tax preparers accountable. Maryland Gov. Larry Hogan recently proposed the legislation, which was initially put forth by the state’s Comptroller, Peter Franchot, after seeing firsthand how many fraudulent tax returns were halted last year. The number of fraudulent filings his office blocked—13,000 returns for a total of more than $21 million—is only a portion of the crime, and both Hogan and Franchot are certain that many more returns slipped through undetected, costing the taxpayers in the end.

The bill will include a number of new provisions, like sharing the responsibility for enforcing tax fraud laws under the Comptroller’s office, as well as other law enforcement agencies. The goal is to give more authority to investigate reports to as wide a group of officials as possible, taking some of the burdens off of already-overworked police units. At the same time, it also recognizes that investigating these crimes can be very daunting, so it extends the statute of limitations from three years to six years, which actually matches the federal statute.

But there’s one key aspect to this bill that seeks to prevent tax return fraud at one of the known sources: the tax preparers. While it does not in any way support the idea that legitimate tax preparers are at fault for this kind of crime, their industry’s good name has been smudged in recent years by identity theft rings that front as “fly by night” tax prep services. This legislation will also provide even stricter penalties for tax preparers who steal data through their work, as well as provide fines for actual tax preparers who undercut or report inflated amounts in the hopes their customer will get a bigger return. Finally, it prevents actual tax prep firms from hiring anyone during the “busy season” who is not registered with the state’s Board of Tax Preparers.

This bill replaces one that did not pass last year, despite overwhelming support in the state’s House of Delegates.


The fight against identity theft and fraud is an ongoing battle. Hackers and scammers come up with new ways to commit computer-based and identity crimes every day, and as they do, law enforcement officers and policymakers have to play “catch-up” in order to investigate and then prosecute. New York’s governor Andrew Cuomo addressed one of the chief problems—punishment for offenders as it currently stands—in a recent outline of his agenda for 2017.

Right now, someone who steals your identity and uses it for financial identity theft may face a predetermined legal sentence, just as offenders do in other crimes. But the current legal standing doesn’t fit the act, according to the governor’s office. He noted that someone who steals your stored online payment method from a website and racks up $50,000 worth of credit card debt gets the same sentence as someone who hacks into a bank’s network and steals millions of dollars. Both of those are still treated as the same crime, something that the governor wants to correct by establishing a new class of felonies for different dollar amounts.

His announcement is part of a larger focus on computer tampering, identity theft, and other types of cybercrimes. It’s an issue that has impacted both the federal and state governments and stands to tie up valuable police resources in investigating criminals who are already hard to track down. With stiffer penalties and a more reasonable differentiation between the resulting dollar amounts of damage, the goal is to make the risk outweigh the benefit for criminals.

The proposal also works to address a growing problem for victims of computer crimes, which is the lack of up-to-date training for law enforcement and the growing sense among the public that nothing can really be done about this type of crime. The governor’s proposal would create a Cyber Incident Response Team, as well as establish increased penalties for cybercriminals who intentionally target senior citizens, the disabled, and other specific victim groups.

Governor Cuomo is certainly not alone in this fight. Rep. James Renacci (R-OH) introduced a bill to the House Ways and Means Committee that would address identity theft and tax refund fraud. Co-sponsored by thirteen of his colleagues, the “Stolen Identity Refund Fraud Prevention Act of 2017” addresses many different facets of tax-related government identity theft, including raising public awareness and faster notification for victims of fraud.



The term “source code” might sound like something from a blockbuster Hollywood cyberthriller, but the reality is far less dramatic. Source code is the complete blueprint of any software title, website, or other similar technology, but it’s become something of a sore point for privacy experts thanks to a new international law.

China has enacted a new law that requires developers to provide their source code to the government for any software used within the country. The government says that this move is an effort to prevent hacking and data breaches, but the developers see it as a far more invasive move. Amid concerns over losing control over their products or having their software altered to fit the restrictions the government wishes to impose on its citizens, companies like Microsoft, IBM, and several others are balking at the new requirement.

To put this example in more everyday terms, it would be like a town’s council saying to a cookie baker, “You can’t sell your cookie here unless you give us your secret recipe.” Presumably, the town’s officials are just trying to keep the citizens safe from any harmful ingredients, but at the same time, the baker doesn’t want his money-making recipe in the hands of the city government. What’s to stop the city from opening its own bakery and selling the exact same cookies? Or worse, what’s to stop them from changing the ingredients and pretending it’s still the same baker’s recipe?

No one can argue with the need for better cybersecurity, especially in light of data breaches that exploit security flaws in software and websites. But at the same time, demanding the proprietary information behind the software can seem just as dangerous, at least on the outside. This is just one of the many issues that leave consumers scratching their heads, wondering whom to trust.

For consumers who are trying to protect themselves from both potentially faulty software and perceived government spying, strong antivirus protection and a VPN (Virtual Private Network) can be very useful. Antivirus software goes without saying; it’s a must for every tech user and needs to be updated routinely to protect against the latest threats. A VPN serves as a private tunnel onto the internet that keeps outsiders from spying on their computer use. There are a number of free and inexpensive VPN services that fit different consumers’ needs.

Connect with the ITRC through our 24-hour toll-free call center at (888) 400-5530, or on-the-go with the new IDTheftHelp app for iOS and Android.